
iSecurity Audit Release News

  • Added: The SIEM interface parser now uses -QUOTE or -DBLQUOTE to pack values in quotes. The special characters = * ( and ), which Splunk had misinterpreted, are now changed to underscores (_).
  • Fixed: The DSPISA command now returns the correct machine data, even if no license code has been added.
  • Added: In the Display/Check Authorization Status menu (STRAUD > 89 > 22), a sub-menu with new options, including product status from the local system and (if you have a Multi-System license) across systems.
  • Cumulative PTFs from earlier versions.
  • In the user management screen, we changed “Select-User enabled” to “Select-User disabled”.
  • In the Native Object Compliance module, the parameter “Maximum generic* length” can now have values from 0 to 10. If set to 0, no asterisks (*) appear.
  • The number of systems in a multi-system query was raised from 30 to 100.
  • When sending email via the IBM option, the address is now enclosed in quotation marks (“).
  • Added: A watchdog for jobs in subsystem ZAUDIT.
  • Added: Previously, due to restrictions in subfiles, log records had to be skipped when scrolling down and then up again. F17 now jumps to the beginning of the log.
  • Added: The watchdog sends an alert to the Admin Email defined in 89 > 59.
  • Added: An option to choose the OUTQ in which the watchdog runs.
  • Fixed: Scheduled Firewall reports had failed, leaving the job in MSGW with CPD0013 (A matching parenthesis was not found).
  • Fixed: Group Reports with a ZIP file across systems had returned results only from the *CURRENT system.
  • To avoid problems with job queue QBATCH, RLSNDM is now submitted (SBMJOB) to QUSRNOMAX.
  • Added: Borders on PDF documents to make them easier to read and print.
  • Fixed: CHKISA now removes CSV files that had been left in /TEMP.

You can now place your own logo on reports. As shipped, the file /iSecurity/LOGO/LOGO.JPG contains the Raz-Lee logo. Rename this file to LOGO-RAZLEE.JPG and place your own logo in LOGO.JPG. It must be no more than 110 pixels wide by 60 pixels tall, at 120 DPI.

  • Added: Assessment can now be run from STRAUD > 89 > 53 at any time, without a license code.
  • Fixed: A problem in DSPFWLOG (F11, then F8) that resulted in an error due to the missing library SMZ4.
  • SIEM: the JR entry type now sends more fields.
  • Fixed: We removed a message on the license screen saying that library SMZE/T was not found.
  • Logos were added to customize PDF user reports.
  • Fixed: Items in MFA that failed to send email.
  • The name of the ZIP file attached to the email when scheduling Audit Reports can now be customized.
  • Improved: The mail client in situations where Java 8 is needed to send emails (because of the newer TLS versions supported by SMTP servers) but the customer uses Java 7 by default.
  • Fixed: Queries now run correctly in Password Reset (PWDRST: 6Y, 6X) and AOD (6I, 6Y, 6X).
  • Added: In STRAUD > 89 > 59, the first day of the work week: 1=Monday, 2=Sunday, 3=Saturday. For backward compatibility, blank is treated as Sunday.
  • Fixed: A problem in RUNAUQRY when saving CSV to an IFS folder with F9=Email.
  • Fixed: Audit $R report in German.
  • Fixed: The license screen was not clear for some customers.
  • Fixed: QGPL was being replicated, which caused a conflict when the AV process created the RLDUMPF file in QGPL. The setting is now taken from 89 > 59 > 1.
  • Fixed: The iSecurity email client now works with smtp.office365.com servers that require TLSv1.2.
  • Fixed: Password protection for the Queries ZIP file. The password is now masked, and the ZIP file is actually password-protected.
  • Improved: Performance of internal queries in AOD.
  • Reports now always contain “END OF DETAIL REPORT” and the total number of lines.
  • Maintenance jobs (AU#MNT, GS#MNT, OD#MNT) now use the CHKISA program, which shows the number of days before products expire.
  • Fixed: Description text for entry CP/A, which had shown type AF in the newest Audit version.
  • Report Generator now supports multiple system names and groups:
    The product, which previously supported a single system name or a single group of system names, now supports up to 30 system names or groups of system names, for more convenient multi-system support.
  • Easier copying of selection items:
    In Audit Real-Time Rules as well as in Query selection rules, pressing F6=Insert now displays the current selection (field, test and values), so a set of conditions can be copied together with its values.
  • Enhanced information source #S (List of Server Share Information):
    Information source #S now provides all occurrences of users and their shares.
  • Repairing damaged Data Queues:
    Data Queues are used throughout iSecurity, and they tend to get damaged more often than other object types. A new command, Re-create Damaged Data Queues (RECRTDTAQ), checks for damaged Data Queues in all iSecurity products and re-creates them if needed.
    The command SMZ4/RECRTDTAQ LIB(*ALL) SCOPE(*DAMAGED) is run daily over all iSecurity Data Queues by the Audit Maintenance scheduled job.
    This command has also been added to the Base Support menu (STRAUD > 89).
iSecurity/System Control (packaged with iSecurity/Audit)
  • System Control enhanced to check Output Queues (*OUTQ) and Job Queues (*JOBQ):
    System Control can now react to situations found in Output Queues (*OUTQ) and Job Queues (*JOBQ). In addition to alerting by email, messages, SIEM and other methods, an Action can provide a proactive response via a CL script (similar to a CL program, but without the need to compile). Each command parameter can be a field from the event.
    To use this feature, select Status of Job/Sys/JobQ/OutQ and press F19 for more information.
    You can define an unlimited number of controls for each queue or for the total of all queues. You can also set the Action so that it does not react to situations that are static.
    Job description SMZ4DTA/AUACTQUEOP has been added to the installation.
  • System Control jobs keep running only when relevant rules exist:
    When each component of System Control starts, it checks whether relevant rules exist. If there are none, the component ends.
    System Configuration (STRAUD > 81) sets the cycle time for this option.
iSecurity/*BASE (packaged with iSecurity/Audit)
  • Start Security (STRSEC) Command:
    The command has been improved to enable subsets of the displayed subjects and to provide information about products and components in several languages.
  • Enhanced Email Text:
    You can use the special words *SUBJECT (to set the message subject) and *BODY (to set the message body). Each part can have replacement values from the event. Each replacement value can include *AUTO multiple times. These are replaced by automatic messages with replacement values for their type.
    New replacement fields include:
    • &ACTION (Action ID)
    • &SEQID (Sequence ID)
    • &REASON (User text entered for this case).

    Use F9 (Add ACTION details) to add these on a green screen.
    *AUTO text for C@ has also been improved, reflecting the changes that were done to user profiles by the Change User Profile command.

  • Enhanced Run Query Commands:
    The Run AU Query (RUNAUQRY) command, and the Run FW Query (RUNFWQRY) command have been enhanced. In all places where a Query name or System name can be entered in a command, pressing F4=Names on these fields lists all the currently defined items. To denote this support, the text F4=Names is displayed in the prompt text of the command parameter.
  • Report Generator now includes a log of Queries Run:
    A log of all runs of queries is now available in Queries and Reports as option 15 – Display Query Runs. The log keeps information about the command parameters used for the run, the number of records that were in the query result set, and the output objects that were created and are still on the system.
  • Sending email from Query Results:
    Once you have generated the results that you need from a query or in report output, you can email the results or report directly from that output, rather than needing to run the report again to specify email as the destination.
  • Global Installation Defaults:
    Option STRAUD > 89 > 59 now enables attaching empty reports. This may help auditors to ensure that, even when a report is empty, the selection rules of the report did not change.
  • New feature: Input Sampling (STRAUD > 2 > 3). A sampling option has been added to eliminate the collection of repetitive information. It can be set per audit type for each user, IP range or object. Only a single set of identical information is collected out of a group of sets, or during a specified number of seconds. Input Sampling saves CPU, I/O and disk space, and it makes the collected information more legible. You might use it, for example, for audit types ZR and ZC, which audit object access for Read and Change respectively: clients usually want to know about such access, but are not interested in recording a large number of identical entries.
  • New feature: A new information source, $R IFS Objects, provides information about IFS objects and their authority.
  • New feature: Control and Trace Audit Active Journals (STRAUD > 2 > 35, Work with Audit Active Journals). This option enables you to control and trace the collection of information from the journals that Audit traces: QAUDJRN, QIPFILTER, QIPNAT, QACGJRN, QQOS, QSNMP, QDSNX, QVPN and QZMF. Use option 31, Start Real-Time Auditing, to start tracing for the first time.
  • New feature: Auditing journal receivers that are not attached to the current chain (*CURCHAIN) of receivers. Sometimes an old journal receiver that is no longer in the current chain needs to be audited. The new command STRAURCV (Audit Disconnected Receivers) enables this to be done manually. To use it:
    • Activate Audit.
    • Use STRAUD > 2 (Activation) for all of the following steps.
    • Use 5. Work with Active Jobs to end the relevant journal job running in the ZAUDIT subsystem. This job has the name of the system if it refers to QAUDJRN, or the name of the journal for any of the other supported journals (QIPFILTER, QIPNAT, QACGJRN, QQOS, QSNMP, QDSNX, QVPN, QZMF).
    • Use 35. Work with Active Journals and write down the current status of collection.
    • Use 33. Set/Add Start of Auditing and set it as needed.
    • Run 34. Audit Disconnected Receivers (STRAURCV).
    • Use 33. Set/Add Start of Auditing again to restore the starting point of auditing from the information you wrote down.
    • Deactivate Audit.
    • Activate Audit.
  • New feature: Real-Time Alert and SIEM capabilities when important definitions are changed (STRAUD > 82, option 78, Real-Time Alert on definition chg). This option now supports the full AP-Journal capabilities to alert in real time by email, SIEM etc. when important definitions are changed.
  • New feature: Delete Ready Reports (STRAUD > 82 > 31). Ready Reports keeps reports that were run in the past: PDF, CSV and HTML reports are stored in the IFS, and output files are stored natively. This option, which runs Delete Audit Ready Reports (DLTISRRP), makes it convenient to maintain them. It allows selecting the product (*AUDIT, *FIREWALL, *ALL), a range of days, and the type of storage (*IFS, *LIB, *ALL).
  • Enhancement: Status & Active Job (SysCtl) control. This function monitors active jobs as well as system status by periodic checks that can identify situations and use an Action to alert, send to SIEM and run reactive CL scripts. To make it more useful:
    • The cycle time of each function has been separated, allowing different delays between the types of checks. See STRAUD > 11, General Definitions.
    • Multiple Actions can now be defined over a single item (Continue=Y), and repetitive messages from a single check can be suppressed with the “Run action once per seconds” option.
  • Enhancement: IBM announcement on removal of a list of audit types.
    IBM has announced that it will no longer record the following audit types:
    • VA  Changing an access control list
    • VC  Starting or ending a connection
    • VF  Closing server files
    • VL  Account limit exceeded
    • VN  Logging on and off the network
    • VR  Network resource access
    • VS  Starting/ending a server session
    • VU  Changing a network profile
    • VV  Changing service status
    By default these types are no longer displayed wherever lists of audit types are presented for selection or display. To include them, use System Configuration; they are then displayed with the remark *REMOVED BY IBM*.

  • Support for New types of journals
  • C@ – EMAIL FOOT NOTES/SENDER
  • Audit support reports for any journal, not only QAUDJRN.

  • Native Object Security fixes.

  • As a result of the Audit upgrade, AP-Journal can now send before and after information.

  • As a result of the Audit upgrade, Capture can now send HTML reports.

  • AU#MNT will not try to disable user profiles with a Q prefix.

  • In creating the “Message to Send”, multiple fields can be selected for inclusion when pressing the F7 key.
  • Report generator has been enhanced to support more types of numeric fields; better use of the OS PDF document creation; C@ reports user changes in real time, showing only the parameters that have changed. Its summary sub-reports can now be used over all fields.

    The Summary sub-reports (up to 3 reports that sum the data in the report in various ways, and are processed simultaneously with the regular report) have been enhanced to provide better textual information for the grouping items.

    Main menu was slightly modified.

    Work with Object Auditing has been repaired.

    The command AU Analyze Default Passwords (ANZAUDFTP) issues a completion message identical to the one of the OS.

    System Control

    This module (which is now checked for proper authorization; it is free for Firewall and Audit customers) is composed of Message Queue & QHST and Status & Active Job. The latter can react to the following checks, which are tested periodically:

    • @J    Active job information
    • @K    Job not active
    • @P    Pool not active
    • @S    System status and pool information

    The tests of the conditions were enhanced to support the full range of iSecurity Filter comparisons.
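The Input Sampling option (STRAUD > 2 > 3) and the System Control “Run action once per seconds” option listed above both suppress repeats of identical information inside a time window. The Python below is an added example written for this page, not Raz-Lee code: the rule layout, the event fields (type, user, ip, object) and the sample events are assumptions constructed for the illustration. It keeps the first event of each identical set per window, drops the repeats, and counts what it dropped.

```python
"""Keyed sampling of audit events: keep the first occurrence of an identical
(type, user, ip, object) set per time window and drop the repeats.
Added illustration; the data layout here is an assumption, not Audit's own."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class SamplingRule:
    audit_type: str                # e.g. "ZR" (object read) or "ZC" (object change)
    key_fields: Tuple[str, ...]    # what makes two events "identical"
    window_seconds: float          # suppression window per key
    max_per_window: int = 1        # how many identical events to keep per window


class InputSampler:
    """Decides per event whether it is collected or suppressed."""

    def __init__(self, rules: Iterable[SamplingRule]) -> None:
        self.rules: Dict[str, SamplingRule] = {r.audit_type: r for r in rules}
        # (audit_type, key values) -> (window start time, events kept in window)
        self._windows: Dict[Tuple[str, tuple], Tuple[float, int]] = {}
        self.suppressed = 0

    def admit(self, event: dict, now: float) -> bool:
        """True if the event should be collected, False if it is a repeat."""
        rule = self.rules.get(event.get("type", ""))
        if rule is None:
            return True  # audit types without a sampling rule are never sampled
        key = (rule.audit_type, tuple(event.get(f) for f in rule.key_fields))
        start, kept = self._windows.get(key, (None, 0))
        if start is None or now - start >= rule.window_seconds:
            self._windows[key] = (now, 1)  # first event of a new window
            return True
        if kept < rule.max_per_window:
            self._windows[key] = (start, kept + 1)
            return True
        self.suppressed += 1
        return False

    def purge(self, now: float) -> int:
        """Forget expired windows so state does not grow with the key space."""
        before = len(self._windows)
        self._windows = {
            k: v for k, v in self._windows.items()
            if now - v[0] < self.rules[k[0]].window_seconds
        }
        return before - len(self._windows)


def run_sample() -> Tuple[List[dict], int]:
    """Constructed sample: a batch job reading one file in a tight loop, one
    change to the same file, one AF (authority failure) with no rule, and one
    read after the window expires. Returns (kept events, suppressed count)."""
    sampler = InputSampler([
        SamplingRule("ZR", ("user", "ip", "object"), window_seconds=60),
        SamplingRule("ZC", ("user", "ip", "object"), window_seconds=60),
    ])
    t0 = 1_700_000_000.0
    base = {"user": "BATCHUSR", "ip": "10.1.1.5", "object": "PRODLIB/CUSTMAST"}
    events = [dict(base, type="ZR", t=t0 + i) for i in range(50)]
    events.append(dict(base, type="ZC", t=t0 + 10))
    events.append(dict(base, type="AF", t=t0 + 3))
    events.append(dict(base, type="ZR", t=t0 + 75))
    events.sort(key=lambda e: e["t"])
    kept = [e for e in events if sampler.admit(e, now=e["t"])]
    return kept, sampler.suppressed


if __name__ == "__main__":
    kept, dropped = run_sample()
    for e in kept:
        print(e["type"], e["user"], e["object"], e["t"])
    print(f"kept {len(kept)}, suppressed {dropped}")
```

Because the first event of every window is always kept, an alert on the first read of a sensitive object still fires; what is lost is the number of repeats, so keep the window short for types you later need for volume-based detection, and leave types like AF (authority failures) unsampled.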

Product has been updated to support IBM i 7.4

Product now supports Firewall

  • Socket Exit Points
  • Free Style rules

Running an Action after the end of a query

Run Audit Query (RUNAUQRY) was enhanced with the parameter RUNACTEND (Run action after end of run), which runs an action after a query ends.

A possible use case is to run user programs on the output files created by the query.

To build the action, use the interface for creating a new query of type $8, Query log report.

New information source for displaying the queries that were run.

This is query type $8, Query log report.

Note that the field containing the name of the output file or IFS path storing the results is cleared if the file is deleted from disk.

Query generator now prints the number of records in the report.

DSPAULOG

Command now supports:

*  Two modes to display data:

     – By columns

     – By message (as in Joblog)

   Use F13 to switch between them.

   The product will open in the mode you used last.

*  F7=Filter – to enable additional filtering of data.

Order of audit entries display.

The parameter is START(*OLD, *NEW, *DFT)

– *OLD the display starts with the oldest entry (as was)

– *NEW the display starts with the newest entry

– *DFT as specified in STRAUD, 81, 1. (System Configuration)

RUNAUQRY

Now supports the order of audit entries display.

The parameter is START(*OLD, *NEW, *DFT)

– *OLD the display starts with the oldest entry (as was)

– *NEW the display starts with the newest entry

– *DFT as specified in STRAUD, 81, 1. (System Configuration)

New information sources (Query Types)
The following information sources can be used in Run Audit Query (RUNAUQRY). Each has several dozen fields, usually with a full explanation and the full set of their possible values. Output can be Screen, GUI, HTML, PDF, CSV etc.

  • $O – information about Program and Service-Program
  • $Y – information about Modules of Program and Service-Program
  • #A – System limits trending
  • #C – PTF Groups Installed vs. Available
  • #G – Group PTF Info
  • #H – PTF Info
  • #K – Netstat information
  • #L – NETSTAT interface information
  • #M – NETSTAT routing information
  • #N – NetStat job info
  • #Q – TCP/IP information
  • #R – Current server information
  • #U – System status
  • #V – System memory pool information
  • #W – AU Active jobs
  • #X – Disk status
  • #Y – Output queue information (summary)
  • #Z – License Information

Multi-System user description in queries.

Previously, the description shown for a referenced user was a general description, which was not clear.

Now the description of a referenced user in a query is replaced by the real user description,

even if the user exists only on a remote system.

Query Summary Definitions.

It is now possible to include a summary field or count conditionally.

The value of the field or count is checked against a defined value; if the condition is not met, the summary field is not printed.

The user can also decide in which units to compare values (Kilo, Mega, Giga) and in which order to print the summary (ascending or descending).

Global Changes:

While entering authorization codes in Option 81, a verification ensures that the code corresponds to the product.

  • From each product it is possible to access the iSecurity Base options (89). They include:
    • Email definitions
      • Address Book (a name can represent one email address or a list of them)
      • Definitions of the email server
      • Restrictions on where emails can be sent (by domain or specific address)
    • Authorization code related items
      • Add Authorization Codes – enter authorization codes for multiple products with a single command
      • Display Authorization Status
      • Add Daily Check of Authorization Codes – sends a notification email once a day if any authorization code is invalid or about to expire
      • Display CPU/LPAR Information – tells you how to obtain the System/LPAR info without having to install any iSecurity product
    • Other functions have been enhanced.
  • Improved logo display in HTML documents.
  • Empty directories are deleted in the Maintenance procedure.
  • Added PORT number in Audit definitions.
  • Fixed system values calculation.
  • Larger Excel file output.
  • Fixed date conversion; dates are now converted from any format.
  • HTML files created can now be bigger.
  • Fixed PDF creation program.
  • Work with IFS log Definitions *New*
  • Allow CPYSPLF in QZDASOINIT or any other job after SWAP in Run IOC report.
  • Added new messages for 6V queries.
  • Print/display transaction summary. *NEW*
  • In query display, added Print Audit Filters and show the content of ITEM or NITEM.
  • In query display, also fixed the page length in the query print file.
  • Fixed screen messages for the “Restore deleted User profile” program.
  • New security settings for JR in query selection.
  • New settings for PDF files when printing queries. PDF is now printed via a special printer override.
  • Fixed issue with incorrect Last Change date information of queries.
  • Fixed problem with 6I type query (AOD).
  • Deactivate Audit IFS Logs *NEW*
  • Allow CPYSPLF in QZDASOINIT or any other job after SWAP.
  • Display User Activity *NEW*
  • Allow sending SSL-secured mail.
  • In STRSEC>89>59, a new parameter was added:

Mask UsrPrf with dft pwd. ??--??----   ?=Display, %=Display, random if blank

This parameter defines which characters of the user profile name are displayed in Audit $P report output; each position of the pattern corresponds to a position of the profile name, and the remaining positions are masked, so the report does not hand out a ready-made list of accounts with default passwords.

Example:

A$P
$P Users with default password
Control: T, B, +/-

User        User Class   Display S
                         Informati
AA--CC----  *USER        *SYSVAL
AB--E ----  *USER        *SYSVAL
AG--UP----  *SECOFR      *SYSVAL
AL--X ----  *USER        *SYSVAL
AL--22----  *USER        *SYSVAL
AO--PC----  *USER        *SYSVAL
AU--SE----  *USER        *SYSVAL
AV--HA----  *SECOFR      *SYSVAL
AZ--  ----  *USER        *SYSVAL
AZ--  ----  *USER        *SYSVAL
A1--  ----  *USER        *SYSVAL
A1--  ----  *USER        *SYSVAL
A6--  ----  *USER        *SYSVAL
BA--CH----  *USER        *SYSVAL
BB--  ----  *USER        *SYSVAL

  • New sources of information for queries added.
  • QHST support now includes a breakdown of messages into their parameters.
  • Query Generator enhanced to support three different groups of summaries.
  • Support for IASP is now available.
  • Export Query – users may now select one or more queries and export them to a remote machine/LPAR.
  • Multiple reports may now be ZIPped into a single file.
  • “No Data” notification added to the email subject of empty reports – a subject containing *NO DATA* indicates “No exception found”.
    Since security monitoring is based on identifying exceptions, this saves time, as there is no need to open empty reports.
  • Optional enhanced auto-disable of user profiles with generic names.
  • Auto-delete of dormant or disabled user profiles.
  • Copy time group – the export/import feature now enables deleting entries from the remote system.
  • Support for generic options is now available for general groups.
  • Domain restriction when sending email from Audit, to prevent sending emails to unwanted recipients.
  • New query option to use initial object selection for reports.
  • New $R query for IFS lists.
  • Query footnotes now contain the initial filter selection.
  • Report group summaries are now available.
  • Groups export/import feature includes delete on remote.
LEEF, CEF Field mode support, with Sub-Type sensitivity
  • LEEF, a standard used by IBM® QRadar™, and CEF, used by HP™ ArcSight™ and others, are now supported. Both send data in Field Mode, as pairs of field name and field value.
  • iSecurity™ supports all QAUDJRN messages.
    Formatting is by Audit Type and Sub-type, or by Firewall server.
    In this way, for audit types that represent different activities, e.g. type OM with sub-types M (Move) and R (Rename), only the relevant fields are sent.
  • QHST, QSYSOPR and any other message queue are supported in LEEF and CEF field mode.
  • Standard message support, i.e. the message edited with its replacement values, is preserved.
    This enables sending information in any free format as well as in LEEF and CEF.
SMS and Special Support

Standard support for SMS (“Text”) and Special Message from within Audit is now available.

The Special Option is usually used for Beeper messages.

The SMS and Special Support feature utilizes the support of eMail‐to‐SMS/Special functionality provided by many telecommunication service providers.

In the USA and some other countries this is a free service.

To use the SMS/Special Definitions option, type: STRAUD>81>12

Support for Add QAUDJRN Sequence Number to SIEM
*CEF/*LEEF Fields

Support was added for the Add QAUDJRN Sequence Number to SIEM *CEF/*LEEF fields.
It is triggered by a new option in Global Installation Defaults (STRAUD>89>59).

Messages to SIEM in *CEF Structure

Messages to SIEM in *CEF structure now allow customers to select whether Standard CEF Extension Field Names are sent or not.

The default is Y.

This feature is controlled by a new parameter in the Global Installation Defaults (STRAUD>89>59, Page Down); the field name is Standard CEF Extension Field Names.

QHST SIEM Support

QHST SIEM support was changed to use the OS/400™ Asynchronous Job, which improves system performance.

Other internal changes were also implemented.

QHST Duplication Prevention

An internal check was added to prevent duplicate QHST messages from being sent.

Bug Fix
  • DSPAULOG now properly supports OUTFILE for type CP.
  • CHKISA and DSPISA (Check/Display iSecurity Authorization Status) now report the status of the authority code of the IMPERVA SecureSphere™ Agent.
New Audit Codes

New Audit Journal entry types and sub-types were added to support OS/400™ releases up to 7.3.

Also, new field codes were added to existing Audit™ types in 7.3, including a refresh of
IBM® texts for values and descriptions, for a more convenient user experience.

Global Installation Defaults Enhanced

This option has been enhanced and reshaped.

Among the enhancements:

  • Product‐Admin Email.
  • Add SYSTEM to query mail subject.
Review and Update of Description and Possible Values of all Audit Code Fields
  • Audit provides a description of the fields in Audit entries along with their possible values (codes); a full review and update, where necessary, of all these field texts and codes was carried out.
  • The number of fields in Audit Journal entries has reached five digits.
  • Customers are reminded that on display screens, pressing Help while the cursor is on a field displays the field description, its possible values and their descriptions.
  • On entry screens, pressing F4 while the cursor is on a field displays the above and enables selecting one or several values (for LIST comparison).
New Audit Type

In STRAUD>1>1, new Audit Types were added to support OS/400™ Release 7.3.

These include:

*NETSECURE V7R3M0 36. | Secure network connections
*NETTELSVR V7R3M0 37. | Telnet Server connections
*NETUDP    V7R3M0 38. | UDP traffic

NOTE: Starting with OS/400™ release 7.3, the role of *NETCMN was changed – it now only writes security Audit Journal Entries for
a subset of the *NETSCK functions. It does not write security Audit Journal Entries for accepts and connects.

Audit™ types CP and C@ (User Profile Changes) were enhanced.

Changes related to OS/400™ release 7.2
  • New Audit Types:
    • *PTFOBJ Changes to PTF objects
    • *PTFOPR PTF operations
  • New Audit Journal entries:
    • AX Row and Column Access Control
    • PF PTF Operations
    • PU PTF Object Changes
    • X2 Query Manager Profile Changes
Raz‐Lee Entry Types Added

A new Raz‐Lee entry type was added – $F Command Attributes for Limited Capabilities users (STRAUD>41>1).

The $F Command Attributes can be used to create reports about Limited Capabilities
users and more.

Deleting Unused Disabled Users

Users who have been in the *DISABLED state for a long period of time may be deleted
according to their Last used date, Create date and Sign-on date.

User profiles that are group profiles are never deleted.

Exceptions may be added to a generic* names list and excluded from deletion even if *DISABLED.

NOTE: Users in the disable exceptions list cannot be deleted.

NOTE: During auto-deletion, some messages are sent to QSYSOPR.
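The selection rules above (disabled state, age measured from the last-used, create and sign-on dates, group profiles never deleted, a generic* exception list) are shown as an added Python example written for this page; it is not Raz-Lee code. The profile records, the 365-day threshold, the exception list and the choice of QDFTOWN as the new owner in the generated DLTUSRPRF commands are assumptions constructed for the illustration.

```python
"""Selection logic for auto-deleting long-disabled user profiles, as an added
illustration of the rules in the release notes (not Raz-Lee code). Profile
records, thresholds and the exception list are constructed for this example."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass
class UserProfile:
    name: str
    status: str                    # "*ENABLED" or "*DISABLED"
    created: date
    last_used: Optional[date]      # None if the profile was never used
    last_signon: Optional[date]    # None if the user never signed on
    is_group: bool = False         # True when other profiles list it as a group


def matches_exception(name: str, exceptions: Sequence[str]) -> bool:
    """generic* entries match by prefix, as on IBM i; other entries match exactly."""
    return any(
        name.startswith(p[:-1]) if p.endswith("*") else name == p
        for p in exceptions
    )


def select_for_deletion(
    profiles: Sequence[UserProfile], today: date, max_idle_days: int,
    exceptions: Sequence[str],
) -> Tuple[List[str], Dict[str, str]]:
    """Return the names to delete and, for the rest, why they were skipped."""
    to_delete: List[str] = []
    skipped: Dict[str, str] = {}
    for p in profiles:
        if p.status != "*DISABLED":
            skipped[p.name] = "not disabled"
            continue
        if p.is_group:
            skipped[p.name] = "group profile"        # never deleted
            continue
        if matches_exception(p.name, exceptions):
            skipped[p.name] = "in exception list"
            continue
        # Age is measured from the most recent of the three dates, so a newly
        # created or recently used profile is never treated as dormant.
        latest = max(d for d in (p.created, p.last_used, p.last_signon) if d)
        idle_days = (today - latest).days
        if idle_days < max_idle_days:
            skipped[p.name] = f"idle only {idle_days} days"
            continue
        to_delete.append(p.name)
    return to_delete, skipped


def dltusrprf_commands(names: Sequence[str], new_owner: str = "QDFTOWN") -> List[str]:
    """Build the CL commands. A profile that owns objects cannot be deleted
    without OWNOBJOPT; transferring ownership to a holding profile (assumed
    here to be QDFTOWN) keeps the objects and leaves the deletion reviewable."""
    return [f"DLTUSRPRF USRPRF({n}) OWNOBJOPT(*CHGOWN {new_owner})" for n in names]


def demo() -> Tuple[List[str], Dict[str, str]]:
    """Constructed sample data: one genuinely dormant profile among guarded ones."""
    today = date(2024, 6, 1)
    profiles = [
        UserProfile("OLDTEMP", "*DISABLED", date(2022, 1, 1), date(2023, 1, 10), date(2023, 1, 5)),
        UserProfile("SALESGRP", "*DISABLED", date(2019, 3, 3), None, None, is_group=True),
        UserProfile("QPGMR", "*DISABLED", date(2018, 1, 1), date(2019, 1, 1), None),
        UserProfile("SVCBACKUP", "*DISABLED", date(2020, 1, 1), date(2020, 6, 1), date(2020, 6, 1)),
        UserProfile("NEWHIRE", "*DISABLED", date(2024, 5, 20), None, None),
        UserProfile("CONTR1", "*ENABLED", date(2021, 1, 1), date(2024, 5, 30), date(2024, 5, 30)),
    ]
    # Q* protects IBM-supplied profiles; SVC* protects service accounts.
    return select_for_deletion(profiles, today, max_idle_days=365,
                               exceptions=["Q*", "SVC*"])


if __name__ == "__main__":
    names, reasons = demo()
    for cmd in dltusrprf_commands(names):
        print(cmd)
    for name, why in reasons.items():
        print(f"skip {name}: {why}")
```

Taking the maximum of the three dates is what makes a never-used profile safe: its create date still counts as activity, so a freshly created account that was disabled before first use is not swept away with the dormant ones.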

Global Installation Configuration Update

Global installation configuration (STRAUD>89>59) was enhanced by:

  • Refresh Z* report definitions: Y
    Y=Yes, A=Replace all
  • *AUTO Level of message: 1
    1=1st-*AUTO, 2=2nd-*AUTO2
  • Standard auto disable: Y
    Y=Yes
    NOTE: Check the manual before changing.
  • For SIEM:
    • Syslog source Port/IP
    • TLS Application ID SIEM
New Email Support Introduced

A new email update was installed into Raz-Lee’s products.

Copy Queries From/To SMZ4DTA

In STRAUD>82>93, there is an option to copy queries from or to the SMZ4DTA file.

By selecting the file to back up, the user can save queries, or recover queries in the event of data loss.

NOTE: This activity requires the files AUSELQP and AUSELCP to be present in both the From and To libraries.

Export/Import Definitions

Export/Import definition commands now support:

  • Configuration file
  • Scheduled Entries
CEF and LEEF

Improved CEF and LEEF support was introduced.

Check Raz‐Lee Authorization (CHKISA) has New OUTPUT(*EMAIL) Support

Status of authorization codes will be emailed with new check Raz‐Lee Authorization OUTPUT(*EMAIL) support.

Set Start of Auditing Time (SETRTAUD)

Set Start of Auditing Time (SETRTAUD) was enhanced to enable entering the QHST
transmission Starting date and time.

Triple Syslog Definitions

Raz-Lee’s Audit product now supports sending Syslog messages to up to three (3)
SIEM products simultaneously:

  • In Syslog definitions, select option 81 from the main menu of any product (i.e. STRAUD>81>32/33/34 or STRFW>81>71/72/73).
    The SYSLOG message is now enabled for multiple SIEM destinations (note the SIEM 1, SIEM 2 and SIEM 3 option items) and message structures using built-in as well as mixed variables and constants.
  • The feature enables adjustable Port, Severity, Facility and Length while offering Syslog types UDP, TCP and TLS (encrypted), with CEF, LEEF and
    user-editable modes, using filters for the relevant fields.
  • SIEM processing is done in a separate job per SIEM.
    A buffer absorbs intermittent communication problems or SIEM downtime.
  • Once this buffer is full, processing is delayed.
    A message is then sent to QSYSOPR, and reconnection is attempted periodically until communication is restored.
ZIP Report Generator Output

The ZIP parameter was added to the report generator command.
When using the Report Scheduler, it is possible to specify ZIP in the group definition.
Doing so will ZIP all following report output to a single ZIP file.

Unique Support of Message Field for LEEF and CEF mode

OS/400™ Messages are defined as text with “Replacement Variables”: &1, &2… iSecurity has the capability of extracting the “Replacement Variables” and placing them as proper pairs of Field name and Field value, when LEEF or CEF mode is defined.

Currently the product supports several hundreds of most popular messages.

For example, let’s take message CPF1164 with the following text:

“Job 654242/QSYSOPR/BACKUP ended on 7/03/16 at 01:00:06;
1.267 seconds used; end code 50”.

Field Name: Field Value
Msg_ID: CPF1164
Msg_file: QCPFMSG
Msg_Queue: QHST
Msg Job: 654242/QSYSOPR/BACKUP ended on 7/03/16 at 01:00:06; 1.267 seconds used; end code 50
Job_name: BACKUP
Job_user: QSYSOPR
Job_number: 654242
Ended_on: 7/03/16
At: 01:00:06
CPU_seconds_used: 1.267
End_severity: 50

NOTE: Not all fields appear in this example.

The fields from Job_name onward are the replacement variables extracted from the message.

This has important implications, as it provides standard access to all the message data fields.

This is an iSecurity™ feature that is unique in the market. Presently iSecurity™/
Audit supports several hundred of these messages, a number which will grow.
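As an added example written for this page (not Raz-Lee code), the Python below shows the mechanism described in this section and in the LEEF/CEF field-mode section earlier: a message template with replacement variables (&1, &2 …) is matched against the rendered message text, each variable becomes a field name/value pair, and the pairs are emitted in CEF and LEEF field mode with the escaping those formats require. The CPF1164 first-level text, the field names per variable, the vendor/product/version strings and the severity are assumptions; the Splunk-oriented -QUOTE/-DBLQUOTE value packing from the first release note on this page is included as well.

```python
"""Turn an IBM i message with replacement variables (&1, &2, ...) into CEF and
LEEF field-mode name=value pairs. Added illustration for this page, not Raz-Lee
code: the CPF1164 template, the per-message field names, and the vendor,
product, version and severity values are assumptions."""
import re
from typing import Dict, Optional

VENDOR, PRODUCT, VERSION = "Raz-Lee", "iSecurity Audit", "1.0"  # assumed header values

# Assumed first-level text of CPF1164; confirm with DSPMSGD CPF1164 on your system.
MESSAGE_TEMPLATES: Dict[str, str] = {
    "CPF1164": "Job &3/&2/&1 ended on &4 at &5; &6 seconds used; end code &7.",
}
# Replacement variable number -> field name, following the names shown above.
FIELD_NAMES: Dict[str, Dict[int, str]] = {
    "CPF1164": {1: "Job_name", 2: "Job_user", 3: "Job_number", 4: "Ended_on",
                5: "At", 6: "CPU_seconds_used", 7: "End_severity"},
}


def _normalize(s: str) -> str:
    """Collapse whitespace (the message may be wrapped) and drop a final period."""
    return " ".join(s.split()).rstrip(".")


def template_to_regex(template: str) -> "re.Pattern[str]":
    """Escape the literal text and turn each &N into a named, non-greedy group,
    anchored at both ends so a message that does not fit is rejected outright."""
    parts = []
    for piece in re.split(r"(&\d+)", _normalize(template)):
        if re.fullmatch(r"&\d+", piece):
            parts.append(f"(?P<v{piece[1:]}>.+?)")
        else:
            parts.append(re.escape(piece))
    return re.compile("^" + "".join(parts) + "$")


def extract_fields(msg_id: str, text: str) -> Optional[Dict[str, str]]:
    """Field name -> value for a known message, or None when the text does not
    fit the template (a sign the message file differs from the assumed text)."""
    template = MESSAGE_TEMPLATES.get(msg_id)
    if template is None:
        return None
    m = template_to_regex(template).match(_normalize(text))
    if m is None:
        return None
    names = FIELD_NAMES[msg_id]
    return {names[int(k[1:])]: v for k, v in m.groupdict().items()}


def _cef_header(s: str) -> str:
    """CEF header fields: escape backslash and the pipe delimiter."""
    return s.replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(s: str) -> str:
    """CEF extension values: escape backslash, '=' and newlines."""
    return s.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def message_fields(msg_id: str, msg_file: str, msg_queue: str, text: str) -> Dict[str, str]:
    """The fixed message fields plus whatever the template extraction yields."""
    fields = {"Msg_ID": msg_id, "Msg_file": msg_file, "Msg_Queue": msg_queue,
              "Msg_Text": _normalize(text)}
    fields.update(extract_fields(msg_id, text) or {})
    return fields


def to_cef(msg_id: str, msg_file: str, msg_queue: str, text: str, severity: int = 3) -> str:
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value ..."""
    header = "|".join(_cef_header(x) for x in
                      (VENDOR, PRODUCT, VERSION, msg_id, f"{msg_queue} message", str(severity)))
    ext = " ".join(f"{k}={_cef_ext(v)}"
                   for k, v in message_fields(msg_id, msg_file, msg_queue, text).items())
    return f"CEF:0|{header}|{ext}"


def to_leef(msg_id: str, msg_file: str, msg_queue: str, text: str) -> str:
    """LEEF:1.0|Vendor|Product|Version|EventID|key=value<TAB>key=value ..."""
    header = "|".join(_cef_header(x) for x in (VENDOR, PRODUCT, VERSION, msg_id))
    attrs = "\t".join(f"{k}={v.replace(chr(9), ' ')}"   # tab is the LEEF delimiter
                      for k, v in message_fields(msg_id, msg_file, msg_queue, text).items())
    return f"LEEF:1.0|{header}|{attrs}"


def splunk_safe(value: str, quote: str = '"') -> str:
    """The -QUOTE/-DBLQUOTE packing from the first release note: wrap the value in
    quotes and replace = * ( ) with underscores so Splunk's field extraction is not
    confused. Embedded quote characters are not covered by the notes."""
    return quote + re.sub(r"[=*()]", "_", value) + quote


# Constructed sample: the CPF1164 text quoted above, wrapped as it appears on the page.
SAMPLE_TEXT = ("Job 654242/QSYSOPR/BACKUP ended on 7/03/16 at 01:00:06;\n"
               "1.267 seconds used; end code 50")

if __name__ == "__main__":
    print(to_cef("CPF1164", "QCPFMSG", "QHST", SAMPLE_TEXT))
    print(to_leef("CPF1164", "QCPFMSG", "QHST", SAMPLE_TEXT))
```

The anchored match refuses a message it cannot fit rather than emitting half-parsed fields, which is the safer failure for a SIEM feed; in production the first-level text should be read from the message file (DSPMSGD) rather than hard-coded, since the same message ID can change between releases.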

  • Major performance change in LOG and Report access time. Improvement of 80% expected in certain situations.
Source IP Determination
  • In Global Installation Defaults (STRAUD>89>59), a SYSLOG source Port/IP field was added (UDP only).
Moving Query Definitions

A new function Copy Queries from Backup (STRAUD>82>93) enables technicians to load a full set of reports (i.e. files AUSELQP and AUSELCP from SMZ4DTA) to a user defined library and select which reports to copy from it.

Once selected, the user specifies the From and To libraries; after pressing Enter, the list of reports in the From library is displayed.

This option may be important, for example, when some reports have been accidentally deleted, and there is a need to load them from a backup.

  • New or Improved Query Sources of Information

In Work with Queries (STRAUD>41>1), the following new report types were added:

$H File members

This type provides reporting of large file members, file members that require reorganization, obtain source members names that were used to create the objects, and more. $H can be run if 1=Fast mode (takes minutes for the entire system), or 2=Standard mode (takes much longer).

Choose according to the operating system’s level and the type of information required, as the Standard mode includes more fields.

$X Library information [run RTVDSKINF first]

Library information, including size and percentage of disk space is included.

The execution of a report of this type requires a pre‐run of the standard Retrieve Disk Information (RTVDSKINF) Command.

Information is then taken from this run.

$@ History log

Reports information from the QHST log.

$9 Interface to any spool file query

Intercept any number of spool files that are created by execution of a command or a program.

The spool files are assembled into free format text that is handled by the report generator.

Using the $9 type, the full range of report generator capabilities becomes available, including HTML and PDF output, running on multiple systems, sending by Email and more.

Exporting & Moving Query Definitions
  • Work with Queries (STRAUD 41>1) now enables exporting selected queries.

To do so select X=Export for one or many queries, in one or more instances.

When F3=Exit is pressed, a screen is displayed allowing the user to specify the target system or systems group (Multi System must be available).

Alternatively, *NONE can be entered.

*NONE will display the name of the *SAVF that is created, and the Import command parameters that are required on the report system to load the exported reports.

With *NONE it is the customer’s responsibility to transfer the *SAVF to the target systems.


New Query Capabilities with Sort‐Break Level, Sort Order, and Multi System

The Query Generator was enhanced to support sorting and layout of sorted data:

  • Break after change of a specified number of key fields will cause a subtitle to appear when a change is encountered. Fields that appear on the subtitle will be omitted from detail lines.
  • Sort order can be defined as A=Ascending or D=Descending.
  • Records to include can be 1=All 2=One record per key (this item is mentioned to show the complete picture).
  • When a query is running on multiple systems, the System Field containing the System Name will be implicitly added to the printed fields, if not there.
Additional Queries
  • Some new queries were added to include the Definitions in the Query Generator:
    • Z$9_AUDFN $9 Audit definitions
    • Z$9_FWDFN $9 Firewall definitions
  • A wide set of object related reports. To view them, subset by “classification=Q”.
    NOTE: Most reports default to QGPL information, in order to prevent unintentional run of such a query for the entire system – a long process.
    • Z$I_CHG    $I Objects changed (QGPL), Exc. PF
    • Z$I_DMGED  $I Damaged objects (QGPL)
    • Z$I_MISS   $I Objects which their sources are missing (QGPL)
    • Z$I_OBJC   $I Objects by creator (QGPL)
    • Z$I_OWN    $I Objects by owner (QGPL)
    • Z$I_SCOFR  $I Objects owned by QSECOFR (QGPL)
    • Z$I_SIZE   $I Largest objects (QGPL, Above 100MB)
    • Z$I_SRC    $I Objects source (QGPL)
    • Z$I_SYS    $I Objects by system (QGPL)
    • Z$I_UNSVD  $I Unsaved objects (QGPL)
    • Z$I_USE    $I Objects by Usage Date (QGPL)
    • Z$J_OBJ    $J Object authority (QGPL), by object
    • Z$J_USR    $J Object authority (QGPL), by user
    • Z$K_ALL    $K User profile job descriptions with high authority
    • Z$Q_SCOFR  $Q Programs that adopt QSECOFR authority
    • Z$U_ALLUSR $U All Authorization Lists Users
    • ZCO_ALL    CO All Created Objects
    • ZOR_ALL    OR All Restored Objects
New Network Attributes Added

Some Network Attributes were added, including: DTACPR, DTACPRINM, ALRHLDCNT.

This might affect Set Audit Compliance Base‐Line (STRAUD>41>62), as well as relevant reports.

Auto‐Delete Unused Disabled User Profiles
  • A new function was added for Auto‐Delete of Unused Disabled User Profiles (STRAUD>62>21-22).
    This function (available from release 6.1 and up) deletes user profiles that have been in *DISABLED state for a long period, as determined by their Last Used Date, Create Date and Sign-on Date.
    User Profiles which are Group Profiles will never be deleted.
  • An Exception List which accepts generic* names can be used to exclude certain user profiles.
  • User profiles which were already excluded from Auto Disable (STRAUD>62>11-12)
    are considered as excluded in this function, even if found *DISABLED.
  • Some reports accompany the Auto‐Delete function:
    • ZDO_INADLT DO – Users that were DELETED due to inactivity.
      This is a standard report.
    • Z$@_INADLT $@ – Log of Auto‐Delete activity.
      This includes information on users that could be deleted and users which, for
      some reason, could not be deleted.
      This is a textual report that includes two (2) types of messages:
      • Auto‐Delete – User XXXX could not be deleted:
        MsgId + MsgText of the reason.
      • Auto‐Delete – User XXXX inactive since YYYY‐MM‐DD deleted.

During Auto‐Deletion, these messages are also sent to QSYSOPR.
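The selection rules described in this section, modelled as an added example that is not the product's own code: only *DISABLED, non-group profiles are candidates, generic* names on the Exception List and profiles excluded from Auto Disable are skipped, and the survivor is written in the Z$@_INADLT log format. The notes do not say how the three dates are combined, so the example assumes the most recent of Last Used Date, Create Date and Sign-on Date is the inactivity reference; the profiles, threshold and exclusion lists are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class UserProfile:
    name: str
    status: str                  # "*ENABLED" or "*DISABLED"
    is_group: bool               # group profiles are never deleted
    create_date: date
    last_used: Optional[date]    # None when the profile was never used
    last_signon: Optional[date]  # None when the profile never signed on


def matches_generic(name, pattern):
    """Generic* matching: 'TEMP*' covers every name that starts with TEMP."""
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    return name == pattern


def last_activity(p):
    """Assumption for this example: the most recent of the three dates is the reference."""
    return max(d for d in (p.create_date, p.last_used, p.last_signon) if d is not None)


def auto_delete_candidates(profiles, today, inactive_days, exception_list, auto_disable_excluded):
    """Return (profile, inactive_since) for each profile the policy would delete."""
    cutoff = today - timedelta(days=inactive_days)
    result = []
    for p in profiles:
        if p.status != "*DISABLED" or p.is_group:
            continue  # only disabled, non-group profiles are ever candidates
        if any(matches_generic(p.name, g) for g in exception_list + auto_disable_excluded):
            continue  # Exception List, or already excluded from Auto Disable
        since = last_activity(p)
        if since <= cutoff:
            result.append((p, since))
    return result


def deleted_message(p, since):
    """Log line in the format shown for Z$@_INADLT."""
    return f"Auto-Delete - User {p.name} inactive since {since.isoformat()} deleted."


# Constructed sample profiles (not taken from any real system).
SAMPLE_PROFILES = [
    UserProfile("OLDTEMP1", "*DISABLED", False, date(2014, 1, 5), date(2015, 2, 1), date(2015, 1, 30)),
    UserProfile("TEMPXYZ", "*DISABLED", False, date(2014, 1, 5), date(2015, 2, 1), None),  # TEMP* exception
    UserProfile("GRPSALES", "*DISABLED", True, date(2014, 1, 5), None, None),             # group profile
    UserProfile("ACTIVE1", "*ENABLED", False, date(2014, 1, 5), date(2016, 7, 1), date(2016, 7, 1)),
    UserProfile("SVCACCT", "*DISABLED", False, date(2014, 1, 5), date(2015, 2, 1), None),  # excluded from Auto Disable
    UserProfile("RECENT1", "*DISABLED", False, date(2016, 6, 1), None, None),             # created recently
]
```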

Global Installation Defaults Enhanced

This option was enhanced and reshaped.

Included in the enhancements:

  • Product‐Admin Email
  • Add SYSTEM to query mail subject
Email Definitions

The Email Configuration Screen (STRAUD>89>2) now supports F10=Verify Email configuration.

Selecting this option will result in sending a mail to the Product‐Admin Email that is defined in Global Installation Defaults (STRAUD>89>59).

DDM Data Queues Extended Support
  • IBM has repaired its definition requirements for DDM Data Queues. See: http://www-01.ibm.com/support/docview.wss?uid=nas8N1020951. Accordingly, a new parameter was added for the System Definition (STRAUD>83>1). Entry of this parameter is
    recommended in all cases, and is required based on the PTF level of the system.
  • The DDM Data Queues are re‐constructed automatically by the System Definition option (STRAUD>83>2). This program also handles the TCP/IP Host Table Entry and performs ADDTCPHTE or CHGTCPHTE to automatically apply the definition.
Support of User Absence Security was extended to all Releases

User Absence Security (STRAUD>62>41), with its current implementation and displays, is now available for all releases of OS/400™.

  • During Audit installation, a repository of all user profiles and their parameters is built to support the C@ audit type that shows the changes in the user profile parameters in the format of Parameter: New‐value (old‐value).
    In installations with a large number of user profiles this meant that the installation process was significantly extended.
    This process is now run in a separate job, considerably shortening the installation process.
  • Audit Export/Import now handles groups.
  • In Syslog Definitions (STRAUD>81>32), the SYSLOG message was changed to now include the Sub‐Type of the Audit type.
  • When the result of a query is an IFS file, the date is now included in the object name.
  • Changes were made to the JS Audit type to clarify the report information.